Bill Would Require Companies To Notify Customers When Accounts Are Hacked
The measure, introduced in the Senate, follows a similar law in California that takes effect next week
WASHINGTON (AP) -- Embarrassed businesses and government agencies would have to notify consumers under a proposed law if hackers break into computers and steal some types of personal information, including Social Security numbers, driver's license numbers and credit card information.
The bill, introduced by Sen. Dianne Feinstein, D-Calif., a senior member on the Judiciary Committee, follows a similar California law with slightly tougher provisions that takes effect next week.
Both Feinstein's proposal and the new California law contrast with efforts by the Bush administration to withhold from the public details about major computer crimes, in order to encourage hacking victims to notify the FBI and other government investigators. The FBI director and some top U.S. prosecutors assured technology executives just months ago that they will increasingly work to keep secret the names of companies that become victims of major hacking crimes.
The proposed federal law would not affect the new California law, the first of its kind in the nation. But it would prevent other states from passing similar statutes.
Unlike California's new law, the federal law would not allow consumers to sue companies for failing to notify them and it gives companies more flexibility in how they make such announcements.
Still, consumer groups and others praised the effort.
"It's a really important step forward," said Chris Hoofnagle, deputy counsel at the Washington-based Electronic Privacy Information Center. "Individuals do not have this right to notice now."
Feinstein's bill would require companies or government agencies to notify customers "without unreasonable delay" if they discover hackers stole unencrypted lists of account information stored on their computers, unless police order them not to disclose it.
Companies or agencies could send written letters or e-mails to their consumers. If the hacking affects more than 500,000 customers or would cost a company more than $250,000 to notify customers, victim companies could report details about it with a "conspicuous posting" on their Web site or notify major media organizations.
The California law includes a similar provision for wide-scale hacking but requires victims in those cases to publish details on their Web sites and notify media organizations.
Companies or agencies that fail to comply could be fined under the bill up to $5,000 per violation, or up to $25,000 each day. It assigns responsibility for enforcing the law to state attorneys general and requires states to notify the Justice Department before filing a complaint.
The bill also includes an important exemption for businesses such as credit-card companies that employ security programs that block unauthorized transactions before they're charged to customers and that already notify customers of fraudulent transactions.